| Age | Commit message (Collapse) | Author |
|---|
|
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
in bz#2427 ok markus@
Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
|
|
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
|
|
remove -u flag to diff (only used for error output) to make
things easier for -portable
Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
|
|
direct-streamlocal@openssh.com Unix domain foward
messages do not contain a "reserved for future use" field and in fact,
serverloop.c checks that there isn't one. Remove erroneous mention from
PROTOCOL description. bz#2421 from Daniel Black
Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
|
|
describe magic for setting up Unix domain socket fowards
via the mux channel; bz#2422 patch from Daniel Black
Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
|
|
On some platforms the native realpath doesn't work with non-existent
files (this is actually specified in some versions of POSIX), however
the sftp spec says its realpath with "canonicalize any given path name".
On those platforms, use realpath from the compat library.
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
the realpath symbol to the checked version, so redefine ours to
something else so we pick up the compat version we want.
bz#2428, ok djm@
|
|
fix incorrect test for SSH1 keys when compiled without SSH1
support
Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
|
|
fix NULL-deref when SSH1 reenabled
Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
|
|
regen RSA1 test keys; the last batch was missing their
private parts
Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
|
|
Adapt tests, now that DSA if off by default; use
PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
|
|
regen test data after mktestdata.sh changes
Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
|
|
adapt tests to new minimum RSA size and default FP format
Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
|
|
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
|
|
don't expect SSH v.1 in unittests
Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
|
|
turn SSH1 back on to match src/usr.bin/ssh being tested
Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
|
|
Add "PuTTY_Local:" to the clients to which we do not
offer DH-GEX. This was the string that was used for development versions
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
there are some extant products based on those versions. bx2424 from Jay
Rouman, ok markus@ djm@
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
re-enable ed25519-certs if compiled w/o openssl; ok djm
Upstream-ID: e10c90808b001fd2c7a93778418e9b318f5c4c49
|
|
no need to include the old buffer/key API
Upstream-ID: fb13c9f7c0bba2545f3eb0a0e69cb0030819f52b
|
|
typedefs for Cipher&CipherContext are unused
Upstream-ID: 50e6a18ee92221d23ad173a96d5b6c42207cf9a7
|
|
xmalloc.h is unused
Upstream-ID: afb532355b7fa7135a60d944ca1e644d1d63cb58
|
|
compress.c is gone
Upstream-ID: 174fa7faa9b9643cba06164b5e498591356fbced
|
|
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
cranking
Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
|
|
add an XXX reminder for getting correct key paths from
sshd_config
Upstream-ID: feae52b209d7782ad742df04a4260e9fe41741db
|
|
refuse to generate or accept RSA keys smaller than 1024
bits; feedback and ok dtucker@
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
|
|
turn off 1024 bit diffie-hellman-group1-sha1 key
exchange method (already off in server, this turns it off in the client by
default too) ok dtucker@
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
|
|
delete support for legacy v00 certificates; "sure"
markus@ dtucker@
Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
|
|
Compile-time disable SSH v.1 again
Upstream-ID: 1d4b513a3a06232f02650b73bad25100d1b800af
|
|
twiddle PermitRootLogin back
Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
|
|
twiddle; (this commit marks the openssh-6.9 release)
Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
|
|
better refuse ForwardX11Trusted=no connections attempted
after ForwardX11Timeout expires; reported by Jann Horn
Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
|
|
put back default PermitRootLogin=no
Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
|
|
openssh-6.9
Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
|
|
reset default PermitRootLogin to 'yes' (momentarily, for
release)
Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
|
|
|
|
|
|
fatal() when a remote window update causes the window
value to overflow. Reported by Georg Wicherski, ok markus@
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
|
|
Fix math error in remote window calculations that causes
eventual stalls for datagram channels. Reported by Georg Wicherski, ok
markus@
Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
|
|
with Tim Rice
|
|
add getpid to sandbox, reachable by grace_alarm_handler
reported by Jakub Jelen; bz#2419
Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
|
|
Fix \-escaping bug that caused forward path parsing to skip
two characters and skip past the end of the string.
Based on patch by Salvador Fandino; ok dtucker@
Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
|
|
patch from Jakub Jelen
|
|
correct test to sshkey_sign(); spotted by Albert S.
Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
|
|
Revert previous commit. We still want to call setgroups
in the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
Revert previous commit. We still want to call setgroups in
the case where there are zero groups to remove any that we might otherwise
inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
to setgroups is always a static global it's always valid to dereference in
this case. ok deraadt@ djm@
Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
|
|
Don't count successful partial authentication as failures
in monitor; this may have caused the monitor to refuse multiple
authentications that would otherwise have successfully completed; ok markus@
Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
|
|
Don't call setgroups if we have zero groups; there's no
guarantee that it won't try to deref the pointer. Based on a patch from mail
at quitesimple.org, ok djm deraadt
Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
|
|
|
|
If AuthorizedPrincipalsCommand is specified, however
AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
potentially fail due to key_cert_check_authority() failing to locate a
principal that matches the username, even though an authorized principal has
already been matched in the output of the subprocess. Fix this by using the
same logic to determine if pw->pw_name should be passed, as is used to
determine if a authorized principal must be matched earlier on.
ok djm@
Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
|
|
Make the arguments to match_principals_command() similar
to match_principals_file(), by changing the last argument a struct
sshkey_cert * and dereferencing key->cert in the caller.
No functional change.
ok djm@
Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
|
